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INTRODUCTION 


Science and technology are the agents of 
change and growth. In our economy, new 
technologies disrupt existing business models 
and make our economies more productive. 

The changes they bring have the potential to 
affect every aspect of our lives. These changes 
bring great opportunity and may also bring risk. 

Cyber security is an issue defined by scientific 
and technological change. Therefore it is critical 
that the UK has the scientific and technological 
capability needed to: 

• stay ahead of the risks posed by cyber 
attacks 

• inspire the next generation of cyber security 
products and services that will drive our 
digital economy, and 

• advise government on how policy needs to 
adapt to a changing technological landscape. 

We committed in the National Cyber Security 
Strategy (NCSS) to deliver a dedicated 
cyber security science and technology strategy. 
This Interim Strategy defines how we will: 

• IDENTIFY the technology areas that will have 
most impact on cyber security 

• DEVELOP the government’s policy response 
and the EXPERTISE base in government, 
academia and industry 

• ASSESS whether we are sufficiently 
responding to cyber security science and 
technology developments 


Our goals are to ensure: 

• the country has the cyber security science 
and technology capability and expertise 
needed to meet our security needs and 
inform policy making 

• we have a single authoritative voice that can 
assess the sufficiency of our national oyber 
seourity soienoe and teohnology oapability 
and identify signifioant oyber seourity soienoe 
and teohnology developments that require a 
polioy response 

• we are applying independent expert 
assuranoe so we have oonfidenoe in our 
ability to identify and respond to signifioant 
soienoe and teohnologioal developments and 
that polioy making is suffioiently informed by 
soientifio understanding 

• we have the right relationship with the oyber 
seourity and wider soienoe and teohnology 
oommunity in aoademia, industry and 
internationally to support the above and drive 
oontinuous improvements in our efforts 

This interim strategy reoognises and sets in 

train the oore aotivity that needs to take plaoe to 

inform the final produotion of the Cyber Seourity 

Soienoe and Teohnology Strategy, ineluding: 

• the produotion of a Researoh and 
Development Strategy and underpinning 
Researoh and Development Plan; and 

• establishing the framework and meehanisms 
to enable the publioation of NCSC oyber 
seourity horizon seanning 
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This process will also enable further 
consultation to take place with the wider 
community. 

This is a UK Government interim strategy. 
Where this strategy touches on devolved 
matters, we will work closely with the devolved 
Governments on its application to Scotland, 
Wales and Northern Ireland (respecting the 
three separate legal jurisdictions and four 
education systems, that exist in the UK). 
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OUR APPROACH 


Scope and Structure of this 
Document 


This public interim strategy sets out how 
the UK Government approaoh will integrate 
identifioation of emerging teohnologies and 
future teohnologies into its oyber seourity polioy 
making. This is not though a researoh strategy, 
whioh will follow. Rather the soope is all aspeots 
of oyber seourity polioy, inoluding researoh and 
development, as well as: 

• growth and innovation - and how best to 
make use of the opportunities presented 
by emerging oyber seourity soienoe and 
teohnology 

• oreating seoure and trusted systems to 
address the risks of emerging oyber seourity 
soienoe and teohnology 

• publio awareness of oyber seourity - and 
how best to ensure that the risks around 
emerging teohnologies are refleeted in our 
messaging 

• ensuring that oyber skills and expertise is 
suffioient to keep the UK safe and at the 
forefront of oyber seourity 

The applioation of soienoe and teohnology 
in the military or intelligenee domains is not 
ineluded in this publio strategy for reasons of 
olassifioation. While out of soope, we will ensure 
that improvements in UK oapability exploit the 
synergies of looking at soienoe and teohnology 
and our support and investment in Research 
and Development in a holistio manner. 


The soope is also striotly soienoe and 
teohnology in oyber seourity, so issues 
of privaoy more generally - although very 
important - are not addressed here. 

This interim strategy sets out how the UK 
Government is putting in plane the struotures 
and responsibilities needed to oontinuously 
identify and respond to signifioant teohnologioal 
developments with implioations for oyber 
seourity. Teohnology moves quiokly though 
and we reoognise the risk that we are already 
behind the ourve. Therefore, this interim strategy 
also takes a first step in identifying signifioant 
teohnologioal developments with implioations for 
oyber seourity and the response we are taking. 

In Part 1 we IDENTIFY a number of signifioant, 
developing teohnologies and themes. 

In Part 2 we DEVELOP some initial polioy 
responses to these. 

In Part 3A we set out a role for the new National 
Cyber Seourity Centre to ensure that we 
oontinuously IDENTIFY developing teohnologies 
with implioations for the UK’s oyber seourity 
and assess the UK’s oyber seourity soienoe and 
teohnology EXPERTISE. And in Part 3B we set 
out the role of the Department for Culture, 

Media and Sport (DCMS) to ooordinate efforts 
aoross the UK Government to ensure the UK 
has the right oyber seourity researoh oapability 
to underpin this expertise. Together, this will 
ensure we have the neoessary oapability within 
Government, industry and aoademia - inoluding 
the deep teohnioal expertise needed by the 
NCSC to keep paoe with and respond to the 
ohanging teohnologioal landsoape. 
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In Part 4 we set out a process to ASSESS our 
implementation of this interim strategy. This 
includes our strategic objectives, the metrics 
we will use to measure our performance and 
how we will use independent experts from 
industry and academia to assure the quality and 
sufficiency of our work. 

This approach, which connects the UK’s 
technical expertise with policy makers and 
provides independent assessment that 
the process is working, will be trailblazing. 

We hope it will be an exemplar of how the UK 
Government should do horizon scanning. 
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PART 1: IDENTIFY EMERGING 
TECHNOLOGIES AND TRENDS 


Key Technology Trends 


To remain effective, cyber security policy 
needs to be driven by science and 
technology horizon scanning. To guide the UK 
Government’s response to this technological 
change, the interim strategy identifies the 
technological developments most likely to affect 
the cyber security of the country and services 
industry the public rely on. 

Drivers for these technology trends include the 
decreasing costs of processing power, memory 
and storage; the use of cloud and flexible 
computing power; the proliferation of devices 
with sensors; and the convergence of enterprise 
systems with Operational Technology such as 
industrial control systems. 

To identify the significant technologies and 
themes outlined below, we consulted with 
academia, industry, and with technologists and 
other experts from across the UK Government 
science and technology community and the 
Devolved Administrations. There is a wealth of 
literature and reporting on future trends, and by 
harnessing these expert communities we were 
able to distil this to identify those areas that 
were consistently and defensibly identified as 
game changers for cyber security. 


Internet of Things (loT) and Smart Cities 

There are more devices connected to the 
internet than there are people on the planet, 
and as this trend continues the number of 
connected things will reach many tens of 
billions. The so-called Internet of Things (loT) 
will encompass all the devices we think of 
today as being part of the internet, but will go 
beyond these to include an array of sensors 
and actuators in smart-clothing, buildings, 
medical devices and a whole range of 
infrastructure. It is a very real possibility that 
every manufactured device in the future, from 
a lightbulb to a nuclear power plant, will contain 
one or more point of connection and will be 
part of the Internet of Things. 

Related to loT is the concept of a smart city 
- an urban development in which multiple 
information and communication technologies 
and Internet of Things (loT) solutions are 
integrated in a secure fashion to manage a city’s 
assets. This could include schools, libraries, 
transportation systems, hospitals, power plants, 
water supply networks, waste management, 
law enforcement and other community services. 
The goal of building a smart city is to improve 
quality of life by improving the efficiency of 
services and meet residents’ needs. 

This ubiquitous connectivity will present a 
number of cyber security challenges: 

• ensuring that all these devices and networks 
are built with security by default in mind 

• security of end point devices (especially given 
that many such devices will be small and 
have constraints on computation and power 
consumption) 
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• security of networks which rapidly 
change, gaining and losing end points and 
reconfiguring the network structure 

• identity management, authentication and 
authorisation of end point devioes 

• inseoure end points providing a greater 
attaok surfaoe as an entry point to networks 

• legaoy systems, where no or little attention 
was given to seourity oonsiderations 

Data and Information 

The ubiquity of oonneoted devioes will generate 
reams of data, with assooiated risks and 
opportunities. Data and Information is oentral 
to our digital sooiety. The sheer volume of data 
and the types of data stored have oreated 
new ohallenges, and this is likewise true of the 
information that oan be inferred from this data. 
Big Data refers to data arriving at high speed, 
in a range of formats and at high volume e.g. 
data from GPS satellites and radio telesoopes, 
tweets from Twitter, and online blogs and videos 
posted on YouTube. 

The data (and information) that will result 
from our hyper-oonneoted world will present 
tremendous opportunities to oarry out analysis 
whioh will revolutionise use of infrastruoture. 

We will see inoreased data oolleotion in the 
private seotor, spurred on both by the direot 
need for better business analytios and the 
market whioh allow suoh data to be monetised. 
With the expansion of loT, this will only 
grow. How this data and information flow 
is oontrolled, and who has aooess to it will 
present a range of opportunities and threats. 
The publio must have the oonfidenoe to know 
that data is being handled oorreotly, whilst 
at the same time we must not shy away from 
using the tools we have to deliver servioes to 
the publio and manage publio infrastruoture as 
effeotively as possible. 

Some key oyber seourity ohallenges are: 

• data needs to be oonsidered through its 
whole lifeoyole - inoluding appropriate 
storage, proteotion, use and disposal 


• data oolleoted for one purpose may 
subsequently find other alternative and initially 
unintended uses 

• data will be obtained from new and unusual 
souroes and the provenanoe of this data may 
be questionable 

Automation, Machine-learning and Artificial 
Intelligence (Al) 

To make full use of this data, sooiety will 
need to inoreasingly rely on Automation, 
Maohine-learning and Artifioial Intelligenoe 
(Al). Automation is where the need for human 
interaotion is limited or oompletely removed. 

This oan apply to oontrol systems, suoh as 
power plants and faotories, but also other 
IT and data-related prooesses. Automation 
oombines sensors and oontrol systems to 
enable oomplex sequenoes of operations to be 
performed in many different situations. Currently, 
these range from the programmes on domestio 
washing maohines to autopilot systems. 

Autonomous Systems are maohines and 
systems that have been automated. Augmented 
Systems or Automated Systems are systems 
with a degree of autonomy, but where human 
interaotion is still required. Cruise oontrol or an 
auto-parking faoility on a oar are examples of 
this. Both autonomous and augmented systems 
will beoome inoreasingly important. 

Maohine learning foouses on algorithms that 
oan learn from and make prediotions based 
on data. Suoh algorithms operate by building 
a model from data in order to make prediotions 
or deoisions. Maohine learning is a powerful 
enabler for automation. Al is broader than 
maohine learning and is both an enabler for 
automation but also the end goal for a fully 
automated system. 

Al has the potential to greatly improve 
produotivity; and there will be opportunities 
to use Al as a key tool in identifying and 
responding to oyber seourity threats. 
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Human Computer Interaction 

Even with automation and augmentation, there 
will be a need for human deoision making 
through interaotion with maohines, or Human 
Computer Interaotion. Visual user interfaoes 
are ubiquitous, in desktop oomputers, laptops, 
tablets and mobile phones as well as other 
eleotronio devioes. Speeoh reoognition is 
beooming more prevalent as an alternative 
or supplement to graphioal interfaoes. And 
integrating the presentation of data with the real 
world, so-oalled augmented reality, is already 
present in a limited number of applioations 
(mainly mapping and gaming). More and more 
uses will be found for this teohnology to enable 
people to more quiokly understand and interaot 
with their environment. 

These teohnologies will have wide implioations 
and will impaot on a range of polioy areas. 

For oyber seourity, they present risks whioh 
must be addressed: human vulnerabilities will 
be inoreasingly introduoed to networks and 
strong authentioation will be oritioal. 

Other Technologies and Our Ongoing 
Response 

There are other developments with oyber 
seourity implioations. Some, like the emergenoe 
of building management information, are already 
impaoting on the eoonomy. Others are just 
emerging at the outting edge of researoh. We 
have purposefully limited our initial list to the 
most signifioant and this will be kept under 
oontinuous review. 

Cyber seourity is also important to a number of 
other teohnology areas. Quantum teohnologies 
and finteoh are examples of these. We have 
fooused on other areas to the exolusion of these 
sinoe effeotive UK Government interventions 
are already ongoing (for example, the Quantum 
Teohnology Programme) or beoause we 
antioipate the market to deliver solutions (in the 
example of finteoh). 


Many of the polioy responses we present 
in Part 2 begin to take into aooount the 
oonneotions and synergies between the 
teohnologies desoribed above. As the UK 
Government develops future interventions 
these synergies will be inoreasingly inherent in 
our thinking. 


Risks and Opportunities 


Risks 

The devioes we oarry, wearable teohnology 
and the oonneotivity of the things with whioh 
we interaot will generate a vast amount of data. 
The seourity of this data must be ensured 
so that it oannot be aooessed illegitimately. 
Moreover, there oan be oonsequenoes in 
the physioal world if these teohnologies 
are malioiously exploited. The operational 
teohnology embedded in our oritioal national 
infrastruoture, for example, means that energy 
networks oould be affeoted. 

In 2015, a major automobile manufaoturer 
announoed a reoall for 1.4 million vehioles after 
a pair of haokers demonstrated to journalists 
that they oould remotely hijaok the oar’s digital 
systems over the Internet; and automotive 
oyber seourity researohers have presented 
a range of attaoks at seourity oonferenoes. 

With inoreased automation, the effeots of 
malioious oyber aotivity oould be oompounded 
- potentially undermining publio faith in these 
transformational teohnologies. The haoking of 
a vehiole through its networked entertainment 
system is a threat, but if that vehiole is part of 
a widespread autonomous system on whioh 
sooiety depends, the potential harm oould be 
greater. We will only able to reap the sooial and 
eoonomio benefits of these game ohanging 
teohnologies through building and maintaining 
publio trust and oonfidenoe that these 
teohnologies are seoure. 
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Opportunities 


The benefits of using the technologies identified 
means we know they will be adopted. There is 
an opportunity for the UK to be a world leader, 
capitalising on our expertise in cyber security 
and using security as a competitive advantage. 
Moreover, there are specific opportunities to 
address cyber security challenges through the 
use of emerging technologies. Machine-learning 
techniques and Al will analyse the data flowing 
across networks at scale to spot anomalies and 
threats, and will respond automatically within a 
fraction of a second to protect networks before 
damage is done. And improved understanding 
of human-computer interaction will ensure that 
cyber security experts monitoring networks 
are presented with information they need in the 
most effective way to make the right decisions. 

To understand the implications of these 
technologies and forecast the emerging trends, 
then develop and utilise them, will need a range 
of expertise and skills - some of which will be 
highly specialist. We must ensure that the UK 
as a whole has a workforce that can address 
these challenges and that our skills pipeline 
delivers enough talented and trained individuals 
who have a deep understanding of emerging 
technologies. 

Recent media stories highlight the impact that 
cyber attacks can have on the ability to deliver 
essential public services for our citizens. HMG 
must ensure that our policy responses properly 
address emerging technology challenges, 
whether an attack against critical national 
infrastructure such as a water treatment works, 
maliciously exploiting a vulnerability in an 
automated vehicle, or launching a cyber-attack 
from unsecured loT devices. This will allow us to 
ensure that the UK has a safe and secure cyber 
space; and also to use the opportunities these 
technologies present to make UK a world leader 
in cyber security. 
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PART 2: DEVELOP POLICY 
RESPONSE TO THESE EMERGING 
TECHNOLOGY TRENDS 


Our initial policy response to the risks and 
opportunities presented by the significant, 
emerging technologies identified in Part 1 
follows. This is not exhaustive, and across 
the UK Government and the Devolved 
Administrations we are continuously working to 
adapt and respond our efforts to technological 
changes. Here, we set out the key steps the 
UK Government is taking to keep pace with 
science and technology developments. In all 
of this we will work closely with the Devolved 
Administrations, taking account of where 
responsibilities are devolved and ensuring our 
approaches are mutually beneficial. 


Growth and Innovation 


We are committed to creating a growing, 
innovative and thriving cyber security sector 
within the UK but also internationally to create 
an ecosystem where companies start up, 
scale, and thrive in support of the UK’s national 
security and economic growth. 

We should take account of emerging 
technologies, threats and trends to keep the 
UK more competitive and a secure place to do 
business. By focusing our support for cyber 
security growth, research and innovation in 
part on those emerging technologies that 
represent the best opportunity we can ensure 
the UK remains a world leader for cyber 
security, which will benefit trade opportunities 
and international growth. The technologies 
we have identified will offer the greatest 
chance of keeping us ahead of the threat and 
have potential for future growth of the cyber 
security sector. 


We will be cognisant of emerging technologies 
when we deliver on our cyber security 
growth, research and innovation interventions 
in support of the National Gyber Security 
Strategy. For example, we will look to include 
issues related to emerging technologies in 
the ‘challenge list’ that the Gyber Security 
Innovation Centres will address. We will 
endeavour to ensure that places are included 
in initiatives such as the Academic Start¬ 
up Programme, helping to develop and 
commercialise ideas from academia which 
have potential solutions to the challenges 
and opportunities of emerging technologies. 
Furthermore, we will ensure as far as possible 
that the cyber Proving Ground initiative and 
Research Institutes address these emerging 
technology challenges, by testing new 
solutions and helping prepare them for use 
across the economy. 


Creating Secure, Trusted 
Technologies 


As our reliance on technology grows, so 
do the opportunities for those who would 
seek to compromise our systems and data. 
Responding to this threat and ensuring the 
safety and security of cyberspace is an essential 
requirement for the digital economy. 

The benefits of digital and modern devices will 
only continue if people and businesses feel 
safe and confident using online products and 
services. To make this happen, we want to see 
security embedded in technology and networks 
at the design stage, rather than requiring people 
and organisations to take action once they are 
in use. 
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The Department for Digital, Culture, Media 
& Sport (DCMS) is the lead UK Government 
Department (LGD) for the digital eoonomy, 
with responsibility for the seourity of oonsumer 
internet-oonneoted devioes and servioes, 
inoluding responsibility for setting the UK 
Government’s polioy position on seoure by 
default produets and servioes. 

DCMS will oarry out a review looking at the 
UK Government’s role in making sure the next 
generation of oonsumer oonneoted devioes 
and oonneoted servioes are ‘seoure by default’, 
The review will examine how we oan work with 
industry to inoentivise the adoption of ‘seoure 
by default’ design in devioes that oould be 
hijaoked or breaohed leading to data leaks or 
destabilised networks. 

DGMS will work with other departments (e.g. 
BEIS for the energy seotor) and the Devolved 
Administrations who have aooountability 
for speoifio areas suoh as CNI seotors, 
autonomous vehioles and oonneoted medioal 
devioes; and will also oontinue to work 
oollaboratively with international partners. It will 
seek authoritative teohnioal guidanoe from the 
National Gyber Seourity Gentre (NGSG) in its 
role as the National Teohnioal Authority. 


Focus: Connected Medical 
Devices 


Conneoted medioal devioes present a great 
opportunity. By eliminating the need for manual 
data entry, potential benefits inolude faster and 
more frequent data updates, diminished human 
error, and improved workflow effioienoy. All this 
will lead to better patient treatment, delivered 
more affordably, as well as the faster disoovery 
and implementation of effeotive innovations. 


Advanoes in olinioal support software, inoluding 
tools for healthoare professionals to make faster 
and more effeotive deoisions, have the potential 
to revolutionise the way oare is delivered. 

As examples, teohnology oan enable patients 
to self-monitor their oonditions from home, 
and oan identify when appropriate treatments 
or interventions oan prevent early-identified 
oonditions beooming more serious. 

However, inoidents suoh as the global 
WannaGry ransomware attaok in May 2017 
have reaffirmed the potential for oyber-attaoks 
to impaot direotly on patient oare. 

There is already a mature legislative and 
regulatory framework for medioal devioes. 
However, the extent to whioh oonneoted 
medioal devioes and other emerging 
teohnologies fit into this framework is a 
developing issue. 

Independent data seourity reviews by the 
Care Quality Commission and by Dame Fiona 
Caldioott, the National Data Guardian for Health 
and Gare, published in July 2016 - in partioular, 
the ten data seourity standards reoommended 
by Dame Fiona’s review. NHS Standard 
Contraot requirements, whioh oame into foroe 
in April 2017, to implement National Data 
Guardian’s review reoommendations and data 
seourity standards. 

Against this baokdrop, the potential for new 
teohnologies to transform the delivery of oare 
must be balanoed with the need to ensure 
digital produots are safe, ethioal, oarry the trust 
of those who use them and are not introduoing 
new oyber vulnerabilities whioh oould affeot 
essential servioes. 

To this end, the Department of Health is 
already working with NHS Digital and with the 
Medioines & Healthoare produots Regulatory 
Agenoy (MHRA) to simplify and olarify the 
steps whioh health and oare organisations and 
industry need to follow to bring innovative heath 
and oare software and oonneoted medioal 
devioes safely from development to adoption. 
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Focus: Connected and 
Autonomous Vehicles 


Connected and Autonomous Vehicle (CAV) 
technology will profoundly change the way we 
travel, making road transport safer, smoother 
and smarter. Connected vehicle technology 
lets vehicles communicate with each other 
or transport infrastructure. Automated vehicle 
technology enables vehicles to take over the 
driving task under certain circumstances. In 
the near future self-driving vehicle technology 
could enable vehicles to make journeys without 
requiring input from a human driver. 

The potential social and economic benefits 
of this technology are significant, through 
enhanced safety, productivity, efficiency and 
accessibility. There are also significant industrial 
opportunities which the UK is ideally placed 
to exploit thanks to our permissive regulatory 
framework, thriving automotive sector and 
excellent research base and innovation 
infrastructure. The UK is acknowledged as one 
of the top locations globally to develop and test 
these technologies. 

We recognise the opportunities and are taking 
an ambitious approach. This includes investing 
hundreds of millions of pounds in research, 
development and demonstration, including 
driverless car trials, which are helping to 
develop a better understanding of how these 
technologies interact with their environment 
and other road users. 

However, consumer trust is vital to the 
realisation of the potential benefits of CAV 
technologies. This includes trust in the physical 
safety of CAV users and other road users, 
as well as trust that privacy is respected 
and personal data is handled securely and 
appropriately. This will require a combination of 
measures, including cyber security. We need 
the full ecosystem to be adequately protected 
and able to detect, respond to and recover from 
security incidents. 


Ensuring industry has the skills and direction to 
adequately manage the risks associated with 
connectivity and automation is central to the 
strategy being adopted by Government. As a 
global industry, the automotive sector requires a 
consistent, global approach and we are already 
working to achieve this. 

The Government will provide direction and 
clear expectation to industry to ensure that 
vehicles safely communicate with the world 
around them, including other vehicles and road 
infrastructure. This will ensure that industry is 
able to use the expertise of the NGSC, including 
managing incident response. In particular 
Government: 

• Works with Industry: Continuing to 
engage industry through industry events, 
at board level and through trade bodies 
such as the SMMT; sponsoring an industry- 
led Automotive information exchange to 
promote and facilitate sharing of threat 
and vulnerability intelligence and solutions, 
through which a valuable link between 
industry and the NGSC can be maintained; 
promoting CERT-UK and CiSP functions 
as part of the NGSC offer to industry; and 
supporting industry bodies including insurers 
to develop a maturity assessment framework, 
which could enable the insurance industry 

to perform cyber risk assessments on 
automotive systems. 

• Working with international partners: 

Leading international engagement, including 
chairing a technical working group on cyber 
security and over-the-air updates within the 
World Forum for the Harmonization of Vehicle 
Regulations at United Nations Economic 
Commission for Europe (UNECE). 

• Provide guidance: We have published a set 
of high level security principles for CAV and 
Intelligent Transport Systems (ITS) setting out 
what we think good cyber security looks like; 
developing an automotive specific framework 
for security assessment, which will help 
industry to benchmark their products during 
the design and development stage; and 
developing guidance on how to manage risks 
in the supply chain. 
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Skills 


Having the necessary skills and expertise within 
the UK is critical to ensuring we are able to 
address emerging technology challenges and 
build the underlying research capability we will 
need to identify and respond to the next wave 
of technological developments. 

Key to this, the planned skills interventions 
of the UK Government must be geared to 
accommodate emerging technology and the 
changing technological landscape. Maintaining 
the skills pipeline in these emerging fields will 
offer the greatest chance of keeping us ahead 
of the threat and having the necessary skills and 
expertise in the areas with the highest potential 
for future growth. 

The course content for our Cyber Schools 
Programme will explore the use of specific 
modules that looks at emerging technologies 
and the basic cyber security skills needed to 
keep these technologies safe and ensure future 
cyber security specialists are equipped for 
upcoming challenges. 

The Apprenticeship Programme is being 
developed to address sector specific cyber 
needs in Critical National Infrastructure (CNI) 
sectors, guided by the apprenticeship standards 
already developed by the Skills Funding Agency 
(SFA). In considering the training content for 
these and other cyber apprenticeships, we will 
highlight sector specific needs related to key 
emerging technologies in relation to operating 
technology and human-machine interface. 

And as for cyber retraining, a review is currently 
taking place to inform future government 
intervention and how this can best be used 
to retrain adults to become cyber security 
professionals and provide an immediate boost 
to the cyber security workforce in the UK. 

Any future interventions will consider the key 
concepts and skills needed to keep emerging 
technologies safe 


To understand the main issues behind the 
skills gap and what actions will help mitigate 
them DCMS are developing a dedioated 
Cyber Seourity Skills Strategy whioh will look 
to strengthen the talent pipeline within and 
beyond formal eduoation. It will provide a plan 
to deliver an ambitious and oomprehensive skills 
programme and will outline the oomplementary 
roles of the UK Government, industry and 
aoademia to ensure a long-term supply of 
oompetent oyber seourity professionals to 
meet the ongoing, and growing, demand. 

This strategy will address the need to develop 
skills for emerging teohnologies at all levels 
of eduoation and will enoourage a oonsistent 
approaoh aoross the UK, working with the 
Devolved Administrations 

The deoision to have a separate oyber 
skills strategy highlights the importanoe the 
UK Government, in oooperation with the 
Devolved Administrations, plaoes on developing 
oyber seourity skills in general and the 
oommitment to ensuring that relevant training is 
inoorporated throughout the eduoation pipeline, 
inoluding in sohools, further eduoation and 
higher eduoation. 


Focus: Smart Cities 


Smart Cities are a oolleotion of teohnologioal 
innovations and initiatives, employing sensors 
and utilising greater oonneotivity to enable 
inoreased data oolleotion. The key goal of a 
Smart City is to improve the lives of oitizens by 
harnessing the power of data to more effeotively, 
effioiently and sustainably govern infrastruoture 
and servioes. 

Smart Cities must ensure that seourity 
oonsiderations are a oornerstone of the system. 
Aside from data loss, other potential effeots 
inolude those with malioious intent being able 
to gain oommand of a smart system or supply 
inaoourate data to intentionally disrupt servioes. 
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The UK Government will advocate a ‘secure by 
default’ principle in Smart City design. We are 
already doing a number of things to achieve 
this. The Department for Transport (DfT) are 
developing a cohesive Smart City narrative 
and action plan aimed at city leaders delivering 
smart systems. This programme will unlock 
some of the barriers local authorities face to 
deliver sustainable smart initiatives including 
cyber, physical and personnel security. 

The Digital Built Britain programme is 
concerned with the use of digital tools such 
as Building Information Modelling (BIM) in the 
design, construction and operation of assets 
within the built environment with the aim of 
forming a seamless technical link between 
individual constructed assets and the city 
environment, underpinned by coordinated 
technical standards. 

Other work includes the British Standards 
Institution (BSI) developing an additional 
standards, sponsored by CPNI, for Smart Cities. 
These standards will set out the requirements 
of a security-minded approach covering 
governance, physical, personnel and cyber 
security. Also, DfT have commissioned a Big 
Data Scoping study that investigates the how 
best to derive tangible transport benefits from 
Big Data and loT in Smart Cities. The study 
will include expert consultation on open data 
architectures and innovation platforms for 
Smart Cities. 


Helping Individuals and 
Organisations Secure 
Themselves 


We must ensure the public and all 
organisations, large and small, can protect 
themselves against the cyber threats from 
emerging technologies. loT devices are 
recognised as introducing vulnerabilities to the 
economy that the public could help address 
while protecting their own devices from abuse. 


The Cyber Aware brand will continue to be the 
unified voice of the UK Government on how 
the public and small business can best protect 
themselves from cyber-crime. We will seek to 
significantly magnify the range and impact of 
this kind of work where emerging technologies 
make this necessary, targeted at a range of 
business sectors and across segments of 
the public. 

It is important that our public awareness 
strategy takes account of behavioural and social 
sciences as well as technological cyber security 
S&T opportunities and risks. We need to 
understand more about the human behavioural 
vulnerabilities that cyber criminals will exploit 
in new technologies. We must understand 
more about how individuals will interact with 
new technologies to ensure the cyber security 
measures advised are appropriate. Departments 
will work with the NCSC and other experts to 
ensure this is achieved. 

The NCSC is well placed to ensure its advice 
to business, charities, universities and the 
public sector on how best to secure themselves 
will take account of the technology trends 
it identifies. 


Government Security 


Emerging technologies will have a direct 
impact on UK Government, the Devolved 
Administrations and local authorities, and how 
all parts of Government function. As security 
is transformed and strengthened across all UK 
departments and the Devolved Administrations 
we will ensure that new policies and processes 
are designed and delivered to take into account 
emerging technologies. This includes loT 
technologies which could pave the way for more 
connected devices to securely share data from 
within government buildings. 
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The bulk data (or Big Data) held across all parts 
of government will continue to be a priority with 
regards to cyber security. Working with the 
Devolved Administration and local authorities 
we will ensure that all government datasets 
are held securely, whether in data storage 
centres or hosted in the cloud. As all parts of 
government increases our use of the cloud to 
store data our policy and response will also 
need to be updated regularly, and we will fully 
consider the associated security needs of 
emerging technologies. 

The cyber skills gap also directly impacts all 
parts of government. We must attract and 
develop talent and ensure a much greater 
awareness of cyber security as a discipline 
within government in the UK. We are committed 
to building a strong security profession that 
focuses on the development of cyber skills and 
career pathways as a priority. Bringing new 
cyber talent into all parts of government will 
be done through a combination of recruiting 
external cyber skills, retraining those currently 
in other professions and ensuring a sustainable 
pipeline of cyber talent through the skills 
initiatives of the UK Government and the 
Devolved Administrations. The skills strategy 
and other initiatives for the wider economy will 
help ensure we are developing a strong training 
pipeline that will benefit the public sector as the 
UK’s largest employer of security professionals. 

We will ensure that all UK Government issued 
IT and digital devices are secure by default 
and that any new technologies and digital 
services deployed by the UK Government will 
be secure by default. As all parts of government 
continue to deliver more services online the 
UK Government will work to ensure that cyber 
security is built into all services to a baseline 
minimum standard. The UK Government will 
be open and transparent, so that the public are 
confident in their use of online digital services; 
and will continue to review cyber critical 
infrastructure to ensure that data of high levels 
of importance is secure. 


The Technology Gode of Practice lists 14 
guidelines that the UK Government must 
follow when designing, building and buying 
technology. The fourth item is dedicated to 
ensuring cyber security and is supported by 
additional guidance that outlines exactly how 
the UK Government should fulfil this. 

As all parts of government seek to make full 
use of emerging technologies, the issue of 
how we use innovation and ‘experimental’ 
technologies is important but has yet to be 
clearly resolved. For example, how does 
government within the UK decide where (and 
how) to draw the line between the desire to 
encourage innovation within public services, 
but also ensure that security is built into every 
stage of the development of citizen-facing 
products and services ensure that what 
individual departments and other government 
bodies are learning about emerging technology 
is shared across all parts of government. 

We will use the weight of UK Government 
procurement to spur innovation. That means 
making it easier for smaller companies to do 
business with government. It also means the UK 
government must be less risk averse in trialling 
and using new products. We will work with all 
parts of government, including the Devolved 
Administrations, to take a similar approach 
adapted to their circumstances. 
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PART 3A: CREATING A 
SINGLE AUTHORITATIVE 
UK GOVERNMENT VOICE FOR 
CYBER SECURITY SCIENCE 
AND TECHNOLOGY 


The National Cyber Security Strategy 
recognised that the UK Government needed 
to mainstream the use of horizon scanning to 
inform cyber security policy making. 

We are taking a series of steps to deliver this 
commitment based around the principles of 
(i) ensuring that policy making is informed by 
technical expertise on emerging technologies 
and (ii) that we continuously assure the extent to 
which policy makers make use of this advice. 

Firstly, in its role as the UK Government’s 
national technical authority for cyber security, 
the National Cyber Security Centre (NCSC) will 
be responsible for identifying significant science 
and technology developments with implications 
for all of the UK’s cyber security. 

The NCSC will publish regular advice on 
emerging technologies. As part of this they will 
work with Departments and agencies, including 
the Devolved Administrations, to help them 
consider future implications for cyber security 
policy making and Government operations. As 
such, the National Cyber Security Centre will be 
the single authoritative voice for cyber security 
science and technology. 

NCSC’s adoption of this role will help us 
overcome the complex nature of cyber security 
technologies and the difficulty that departments 
have traditionally experienced in integrating 
technology horizon scanning into their policy 
making due to more fragmented expertise and 
engagement with experts. 


In identifying significant science and technology 
trends, NCSC will take advice from a range 
of experts across all parts of Government in 
the UK and externally. NGSC will have strong 
connections with industry and academia 
to ensure it has access to the best minds 
and will continuously improve how it works 
with the intelligence and military community. 

It will work with experts across the UK 
Government, including Chief Scientific Advisers, 
the intelligence and military communities and 
the Office of the Chief Scientific Adviser for 
National Security. It will bring together cyber 
security experts with knowledge of physical 
security and behavioural science to ensure we 
consider cyber security as part of the wider 
security landscape. 

Partnership with these groups will be key 
to maintaining the NCSC’s capability on 
horizon scanning. This will also allow NCSC 
to help shape the capability and expertise 
building outside of Government. NCSC will 
collaborate internationally where this helps build 
UK capability. 
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PART 3B: UK CAPABILITY 
AND EXPERTISE 


In order to take advantage of the latest teohnloal 
developments In oyber seourlty and manage 
the oyber risks that teohnologloal ohange 
presents the UK needs to ensure It has a strong 
foundation of knowledge and expertise aoross 
aoademla and Industry. The development of a 
skilled workforoe and Innovative oulture Initially 
relies upon a small number of experts who have 
grasped (and even developed) the underpinning 
oonoepts and solenoe of a new speolallst area. 

It Is these oore experts that make the first 
dlsooverles and oodlfy the subjeot so others 
will learn from their work. Without a orltloal mass 
of experts the development and applloatlon of 
the teohnology will falter, for example through 
the Inability to pass on the knowledge at 
soale to others. We must then understand 
the sufflolenoy of the UK’s aoademlo and 
Industrial oyber seourlty expertise and Intervene 
to support Its development where the UK’s 
oapablllty falls short or our ourrent and future 
national seourlty needs. 

Going forward, the National Cyber Seourlty 
Centre will work with experts In Industry and 
aoademla to regularly assess the sufflolenoy 
of the UK’s oyber seourlty knowledge and 
expertise. Where there are gaps that pose a 
risk to our national seourlty, either now or when 
projeoted Into the future, the NCSC and DCMS 
will work together to ensure there Is a plan to 
bring about the neoessary new oapabllltles 
In the required timeframe. Together they will 
ooordlnate efforts aoross the UK Government 
and the Devolved Administrations to design the 
Interventions needed to olose the gap. 


As a orltloal step, DCMS will develop a Cyber 
Seourlty Researoh Plan, working with NCSC, 
aoademla. Industry, and other Government 
departments, the Devolved Administrations, 
looal government, UKRI and funding bodies. 
This will set out priority areas for Government 
supported researoh In the national Interest. 

It will ensure ooordinatlon of aotivlty aoross the 
various bodies and determine the sufflolenoy 
of existing UK Government levers to aohleve 
this, Inoluding how muoh Government funding 
should be allooated to oyber seourlty researoh. 
This plan will be subjeot to regular review, 
refleoting new priority areas that the IDENTIFY 
strand has highlighted. If existing meohanisms 
prove to be Insufflolent to provision the required 
oapabllltles DCMS will work to devise new 
Interventions with Government, Industry and 
aoademla partners. 

In aohleving this, we will: 

• work with UK Researoh and Innovation 
(UKRI) and aoademla to best understand 
research priorities and how to support these, 
for example how best to tailor future PhD 
toplos to emerging teohnologles and to 
Inolude oontent on relevant teohnologles In 
wider oourse teaohlng 

• ensure an aotlve partnership with the 
research oommunity to Identify and 
address priorities 

• work with Government departments and 
Chief Solentlflo Advisors, Inoluding the 
offloe of the Chief Solentlflo Advisor for 
National Seourlty and with the Devolved 
Administrations 
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• encourage more research in these emerging 
technology areas in UK universities with 
Academic Centres of Excellence status and 
institutions with relevant speoialist expertise 

• ensure that oyber seourity is suffioiently 
reoognised in the Industrial Strategy 

It will be important to not foous exolusively 
on existing or identified teohnologies at the 
expense of opportunities for wider innovation. 
The NCSC will work olosely with the researoh 
oommunity and industry to keep the emerging 
teohnology and human faotors ohallenges 
under regular review. We will ensure there is 
independent aoademio sorutiny of the researoh 
plan, its foous and its implementation. 
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PART 4: ASSESS OUR 
PERFORMANCE 


We will design in independent assurance to 
make sure that our horizon scanning capability 
is truly comprehensive and of a world olass 
oapability and to ensure that NCSC’s views 
are properly inoorporated into polioy making. 
NCSC will develop its views through publio 
oonsultation and the oonolusions will be 
reviewed by an independent panel of experts, 
to assure that both the prooess and substanoe 
is right. To make sure that the NCSC’s views 
are taken into aooount in polioy making, 
Government departments will be required to 
aooount to a panel ohaired by the Government 
Chief Soientifio Adviser on the extent they have 
inoorporated NCSC’s guidanoe and soientifio 
best praotioe into their polioy making. 

The new roles and prooesses this interim 
strategy puts in plaoe are intended to drive 
delivery of the over-arohing oommitment in the 
National Cyber Seourity Strategy to ensure 
the UK Government is already planning and 
preparing for polioy implementation in advanoe 
of future teohnologies and threats and is 
‘future proofed’. 

We will measure our suooess in delivering 
this objeotives by assessing our performanoe 
against the following objeotives: 

1. The NGSC regularly publishes high quality, 
authoritative advioe on the emerging 
teohnology trends that will be impaotful on 
oyber seourity. 


3. The UK has aooess to the level of oyber 
seourity expertise neoessary to be able 
to understand the emerging teohnology 
ohallenges and inform the UK Government’s 
polioy response. 

For soienoe and teohnology issues in partioular 
it is important that there is independent sorutiny 
of the effeotiveness of our horizon soanning and 
the extent to whioh polioy making is informed by 
a true understanding of the soienoe at the heart 
of the issue. 

So we will use independent teohnologists from 
industry and aoademia to assure the quality 
and oomprehensiveness of NCSC advioe 
regarding key emerging teohnologies. And we 
will use the established Soienoe and Teohnology 
oommunity in Whitehall, the NSC Sub¬ 
committee on Soienoe and Teohnology and 
Chief Soientifio Advisors to assure that polioy 
making by UK Departments and Agenoies 
is suffioiently influenoed and informed by the 
NCSC’s teohnioal advioe. 

We will publioally report on progress as part 
of wider reporting on the UK Government’s 
performanoe in delivering the National Cyber 
Seourity Strategy and best praotioe will be 
exohanged with the Devolved Administrations. 


2. Cyber seourity polioy making within 
departments is timely and informed by 
soienoe and teohnology horizon soanning, 
partioularly the advioe from NCSC regarding 
key emerging teohnologies. 
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